RubyGems - ruby-sslyze - Versions diffs - 0.2.1 → 1.0.0 - Mend

ruby-sslyze 0.2.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (146) hide show

checksums.yaml +4 -4
data/.gitignore +6 -4
data/.travis.yml +15 -7
data/ChangeLog.md +29 -12
data/Gemfile +3 -2
data/LICENSE.txt +1 -1
data/README.md +5 -5
data/Rakefile +1 -1
data/lib/sslyze/cipher_suites.rb +176 -0
data/lib/sslyze/program.rb +8 -8
data/lib/sslyze/task.rb +40 -33
data/lib/sslyze/version.rb +1 -1
data/lib/sslyze/{certificate/domain_name.rb → x509/domain.rb} +5 -3
data/lib/sslyze/x509/extension.rb +15 -0
data/lib/sslyze/x509/extension_set.rb +140 -0
data/lib/sslyze/x509/extensions.rb +6 -0
data/lib/sslyze/x509/extensions/basic_constraints.rb +41 -0
data/lib/sslyze/x509/extensions/certificate_policies.rb +108 -0
data/lib/sslyze/x509/extensions/crl_distribution_points.rb +47 -0
data/lib/sslyze/x509/extensions/extended_key_usage.rb +58 -0
data/lib/sslyze/x509/extensions/key_usage.rb +66 -0
data/lib/sslyze/x509/extensions/subject_alt_name.rb +144 -0
data/lib/sslyze/x509/name.rb +194 -0
data/lib/sslyze/x509/public_key.rb +53 -0
data/lib/sslyze/xml.rb +26 -37
data/lib/sslyze/xml/attributes.rb +5 -0
data/lib/sslyze/xml/attributes/error.rb +30 -0
data/lib/sslyze/xml/attributes/exception.rb +30 -0
data/lib/sslyze/xml/attributes/is_supported.rb +29 -0
data/lib/sslyze/xml/attributes/is_vulnerable.rb +29 -0
data/lib/sslyze/xml/attributes/title.rb +31 -0
data/lib/sslyze/xml/certinfo.rb +67 -0
data/lib/sslyze/xml/certinfo/certificate.rb +202 -0
data/lib/sslyze/xml/certinfo/certificate_validation.rb +69 -0
data/lib/sslyze/xml/certinfo/certificate_validation/hostname_validation.rb +54 -0
data/lib/sslyze/xml/certinfo/certificate_validation/path_validation.rb +84 -0
data/lib/sslyze/xml/certinfo/certificate_validation/verified_certificate_chain.rb +41 -0
data/lib/sslyze/xml/certinfo/has_certificates.rb +102 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling.rb +45 -0
data/lib/sslyze/xml/certinfo/ocsp_stapling/ocsp_response.rb +87 -0
data/lib/sslyze/xml/certinfo/received_certificate_chain.rb +48 -0
data/lib/sslyze/xml/compression.rb +33 -0
data/lib/sslyze/xml/compression/compression_method.rb +38 -0
data/lib/sslyze/xml/fallback.rb +34 -0
data/lib/sslyze/xml/fallback/tls_fallback_scsv.rb +27 -0
data/lib/sslyze/xml/heartbleed.rb +38 -0
data/lib/sslyze/xml/heartbleed/openssl_heartbleed.rb +29 -0
data/lib/sslyze/xml/http_headers.rb +42 -0
data/lib/sslyze/xml/http_headers/http_public_key_pinning.rb +121 -0
data/lib/sslyze/xml/http_headers/http_strict_transport_security.rb +59 -0
data/lib/sslyze/xml/invalid_target.rb +33 -0
data/lib/sslyze/xml/openssl_ccs.rb +34 -0
data/lib/sslyze/xml/openssl_ccs/openssl_ccs_injection.rb +26 -0
data/lib/sslyze/xml/plugin.rb +27 -0
data/lib/sslyze/xml/protocol.rb +143 -0
data/lib/sslyze/xml/protocol/cipher_suite.rb +93 -0
data/lib/sslyze/xml/protocol/cipher_suite/key_exchange.rb +127 -0
data/lib/sslyze/xml/reneg.rb +28 -0
data/lib/sslyze/xml/reneg/session_renegotiation.rb +51 -0
data/lib/sslyze/xml/resum.rb +42 -0
data/lib/sslyze/xml/resum/session_resumption_with_session_ids.rb +94 -0
data/lib/sslyze/xml/resum/session_resumption_with_tls_tickets.rb +69 -0
data/lib/sslyze/xml/resum_rate.rb +30 -0
data/lib/sslyze/xml/target.rb +371 -0
data/lib/sslyze/xml/types.rb +19 -0
data/ruby-sslyze.gemspec +3 -3
data/spec/spec_helper.rb +2 -4
data/spec/sslyze.xml +2356 -2580
data/spec/x509/domain_spec.rb +125 -0
data/spec/x509/extension_set_spec.rb +208 -0
data/spec/x509/extension_spec.rb +58 -0
data/spec/x509/extensions/basic_constraints_spec.rb +41 -0
data/spec/x509/extensions/certificate_policies_spec.rb +38 -0
data/spec/x509/extensions/crl_distribution_points_spec.rb +38 -0
data/spec/x509/extensions/extended_key_usage_spec.rb +58 -0
data/spec/x509/extensions/key_usage_spec.rb +84 -0
data/spec/x509/extensions/subject_alt_name_spec.rb +146 -0
data/spec/x509/name_spec.rb +85 -0
data/spec/x509/public_key_spec.rb +113 -0
data/spec/xml/certinfo/certificate_spec.rb +166 -0
data/spec/xml/certinfo/certificate_validation/hostname_validation_spec.rb +23 -0
data/spec/xml/certinfo/certificate_validation/path_validation_spec.rb +107 -0
data/spec/xml/certinfo/certificate_validation/verified_certificate_chain_spec.rb +163 -0
data/spec/xml/certinfo/certificate_validation_spec.rb +40 -0
data/spec/xml/certinfo/ocsp_stapling/ocsp_response_spec.rb +61 -0
data/spec/xml/certinfo/ocsp_stapling_spec.rb +31 -0
data/spec/xml/certinfo/received_certificate_chain_spec.rb +165 -0
data/spec/xml/certinfo_spec.rb +45 -0
data/spec/xml/compression/compression_method_spec.rb +23 -0
data/spec/xml/compression_spec.rb +23 -0
data/spec/xml/heartbleed/openssl_heartbleed_spec.rb +17 -0
data/spec/xml/heartbleed_spec.rb +37 -0
data/spec/xml/http_headers/http_public_key_pinning_spec.rb +73 -0
data/spec/xml/http_headers/http_strict_transport_security_spec.rb +107 -0
data/spec/xml/http_headers_spec.rb +63 -0
data/spec/xml/invalid_target_spec.rb +23 -0
data/spec/xml/plugin_examples.rb +14 -0
data/spec/{key_exchange_spec.rb → xml/protocol/cipher_suite/key_exchange_spec.rb} +9 -3
data/spec/xml/protocol/cipher_suite_spec.rb +66 -0
data/spec/xml/protocol_spec.rb +115 -0
data/spec/xml/reneg/session_renegotiation_spec.rb +23 -0
data/spec/xml/reneg_spec.rb +35 -0
data/spec/xml/resum/session_resumption_with_session_ids_spec.rb +103 -0
data/spec/xml/resum/session_resumption_with_tls_tickets_spec.rb +121 -0
data/spec/xml/resum_rate_spec.rb +30 -0
data/spec/xml/resum_spec.rb +47 -0
data/spec/{target_spec.rb → xml/target_spec.rb} +73 -27
data/spec/xml_spec.rb +13 -21
metadata +138 -61
data/lib/sslyze/cert_info.rb +0 -57
data/lib/sslyze/certificate.rb +0 -139
data/lib/sslyze/certificate/extensions.rb +0 -127
data/lib/sslyze/certificate/extensions/authority_information_access.rb +0 -38
data/lib/sslyze/certificate/extensions/extension.rb +0 -26
data/lib/sslyze/certificate/extensions/x509v3_basic_constraints.rb +0 -60
data/lib/sslyze/certificate/extensions/x509v3_certificate_policies.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_crl_distribution_points.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_extended_key_usage.rb +0 -32
data/lib/sslyze/certificate/extensions/x509v3_key_usage.rb +0 -50
data/lib/sslyze/certificate/extensions/x509v3_subject_alternative_name.rb +0 -71
data/lib/sslyze/certificate/issuer.rb +0 -56
data/lib/sslyze/certificate/public_key.rb +0 -9
data/lib/sslyze/certificate/subject.rb +0 -117
data/lib/sslyze/certificate/subject_public_key_info.rb +0 -53
data/lib/sslyze/certificate/validity.rb +0 -9
data/lib/sslyze/certificate_chain.rb +0 -89
data/lib/sslyze/certificate_validation.rb +0 -70
data/lib/sslyze/cipher_suite.rb +0 -237
data/lib/sslyze/invalid_target.rb +0 -35
data/lib/sslyze/key_exchange.rb +0 -106
data/lib/sslyze/ocsp_response.rb +0 -87
data/lib/sslyze/protocol.rb +0 -133
data/lib/sslyze/target.rb +0 -312
data/lib/sslyze/types.rb +0 -17
data/spec/cert_info_spec.rb +0 -29
data/spec/certificate/subject_name_spec.rb +0 -72
data/spec/certificate_chain_spec.rb +0 -61
data/spec/certificate_spec.rb +0 -330
data/spec/certificate_validation_spec.rb +0 -39
data/spec/cipher_suite_spec.rb +0 -50
data/spec/invalid_target_spec.rb +0 -21
data/spec/issuer_spec.rb +0 -33
data/spec/ocsp_response_spec.rb +0 -59
data/spec/protocol_spec.rb +0 -99
data/spec/subject_public_key_info_spec.rb +0 -35
data/spec/subject_spec.rb +0 -69

data/lib/sslyze/version.rb CHANGED

@@ -1,4 +1,4 @@
 module SSLyze
   # ruby-sslyze version
-  VERSION = "0.2.1"
+  VERSION = '1.0.0'
 end

data/lib/sslyze/{certificate/domain_name.rb → x509/domain.rb} RENAMED

@@ -1,9 +1,11 @@
 module SSLyze
-  class Certificate
+  module X509
     #
     # Represents a domain name pattern.
     #
-    class DomainName
+    # @since 1.0.0
+    #
+    class Domain
       # The subject name.
       #
@@ -43,7 +45,7 @@ module SSLyze
       # @return [Boolean]
       #
       def ==(other)
-        @name == other.name
+        other.kind_of?(self.class) && @name == other.name
       end
       #

data/lib/sslyze/x509/extension.rb ADDED

@@ -0,0 +1,15 @@
+require 'delegate'
+module SSLyze
+  module X509
+    #
+    # Wraps around an [OpenSSL::X509::Extension][1] object.
+    #
+    # @see http://www.rubydoc.info/stdlib/openssl/OpenSSL/X509/Extension
+    #
+    # @since 1.0.0
+    #
+    class Extension < SimpleDelegator
+    end
+  end
+end

data/lib/sslyze/x509/extension_set.rb ADDED

@@ -0,0 +1,140 @@
+require 'sslyze/x509/extensions'
+module SSLyze
+  module X509
+    #
+    # Provides a Hash-like interface around an Array of
+    # [OpenSSL::X5095::Extension][1]s.
+    #
+    # [1]: http://www.rubydoc.info/stdlib/openssl/OpenSSL/X509/Extension
+    #
+    # @since 1.0.0
+    #
+    class ExtensionSet
+      include Enumerable
+      #
+      # Initializes the X509 extension set.
+      #
+      # @param [Array<OpenSSL::X509::Extension>] extensions
+      #   The array of extensions.
+      #
+      def initialize(extensions)
+        @extensions = Hash[extensions.map { |ext|
+          [ext.oid, ext]
+        }]
+      end
+      #
+      # Enumerates over the X509 extensions in the set.
+      #
+      # @yield [extension]
+      #
+      # @yieldparam [OpenSSL::X509::Extension] extension
+      #
+      # @return [Enumerator]
+      #
+      def each(&block)
+        @extensions.each_value(&block)
+      end
+      #
+      # Determines if the X509 extension exists in the set.
+      #
+      # @param [String] oid
+      #
+      # @return [Boolean]
+      #
+      def has?(oid)
+        @extensions.has_key?(oid)
+      end
+      #
+      # Looks up the X509 extension with the given name.
+      # @param [String] oid
+      #
+      # @return [OpenSSL::X509::Extension]
+      #
+      def [](oid)
+        @extensions[oid]
+      end
+      #
+      # Converts the X509 extension set to an Array.
+      #
+      # @return [Array<OpenSSL::X509::Extension>]
+      #
+      def to_a
+        @extensions.values
+      end
+      #
+      # The `basicConstraints` extension.
+      #
+      # @return [Extensions::BasicConstraints, nil]
+      #
+      def basic_constraints
+        @basic_constraints ||= if (ext = self['basicConstraints'])
+                                 Extensions::BasicConstraints.new(ext)
+                               end
+      end
+      #
+      # The `certificatePolicies` extension.
+      #
+      # @return [Extensions::CertificatePolicies, nil]
+      #
+      def certificate_policies
+        @certificate_policies ||= if (ext = self['certificatePolicies'])
+                                    Extensions::CertificatePolicies.new(ext)
+                                  end
+      end
+      #
+      # The `crlDistributionPoints` extension.
+      #
+      # @return [Extensions::CRLDistributionPoints, nil]
+      #
+      def crl_distribution_points
+        @crl_distribution_points ||= if (ext = self['crlDistributionPoints'])
+                                       Extensions::CRLDistributionPoints.new(ext)
+                                     end
+      end
+      #
+      # The `extendedKeyUsage` extension.
+      #
+      # @return [Extensions::ExtendedKeyUsage, nil]
+      #
+      def extended_key_usage
+        @extended_key_usage ||= if (ext = self['extendedKeyUsage'])
+                                  Extensions::ExtendedKeyUsage.new(ext)
+                                end
+      end
+      #
+      # The `keyUsage` extension.
+      #
+      # @return [Extensions::KeyUsage, nil]
+      #
+      def key_usage
+        @key_usage ||= if (ext = self['keyUsage'])
+                         Extensions::KeyUsage.new(ext)
+                       end
+      end
+      #
+      # The `subjectAltName` extension.
+      #
+      # @return [Extensions::SubjectAltName, nil]
+      #
+      def subject_alt_name
+        @subject_alt_name ||= if (ext = self['subjectAltName'])
+                                Extensions::SubjectAltName.new(ext)
+                              end
+      end
+    end
+  end
+end

data/lib/sslyze/x509/extensions.rb ADDED

@@ -0,0 +1,6 @@
+require 'sslyze/x509/extensions/basic_constraints'
+require 'sslyze/x509/extensions/certificate_policies'
+require 'sslyze/x509/extensions/crl_distribution_points'
+require 'sslyze/x509/extensions/extended_key_usage'
+require 'sslyze/x509/extensions/key_usage'
+require 'sslyze/x509/extensions/subject_alt_name'

data/lib/sslyze/x509/extensions/basic_constraints.rb ADDED

@@ -0,0 +1,41 @@
+require 'sslyze/x509/extension'
+module SSLyze
+  module X509
+    module Extensions
+      #
+      # Represents the `basicConstraints` X509v3 extension.
+      #
+      # @since 1.0.0
+      #
+      class BasicConstraints < Extension
+        #
+        # The value of the `CA` constraint.
+        #
+        # @return [Boolean, nil]
+        #
+        def ca?
+          if    value.include?('CA:TRUE') then true
+          elsif value.include?('CA:FALSE') then false
+          end
+        end
+        #
+        # The value of the `pathlen` constraint.
+        #
+        # @return [Integer, nil]
+        #
+        def path_length
+          @path_length ||= if (match = value.match(/pathlen:(\d+)/))
+                             match[1].to_i
+                           end
+        end
+        alias path_len path_length
+        alias pathlen path_length
+      end
+    end
+  end
+end

data/lib/sslyze/x509/extensions/certificate_policies.rb ADDED

@@ -0,0 +1,108 @@
+require 'sslyze/x509/extension'
+require 'uri'
+module SSLyze
+  module X509
+    module Extensions
+      #
+      # Represents the `certificatePolicies` X509v3 extension.
+      #
+      # @since 1.0.0
+      #
+      class CertificatePolicies < Extension
+        #
+        # Represents an individual certificate policy.
+        #
+        class Policy
+          # @return [String]
+          attr_reader :policy
+          # @return [URI::Generic, nil]
+          attr_reader :cps
+          # @return [String, nil]
+          attr_reader :user_notice
+          #
+          # Initializes the policy.
+          #
+          # @param [String] policy
+          #   The policy text.
+          #
+          # @param [Hash{Symbol => Object}] qualifiers
+          #
+          # @option qualifiers [URI::Generic, nil] :cps
+          #   The CPS URI.
+          #
+          # @option qualifiers [String, nil] :user_notice
+          #   The user notice.
+          #
+          def initialize(policy,qualifiers={})
+            @policy = policy
+            @cps         = qualifiers[:cps]
+            @user_notice = qualifiers[:user_notice]
+          end
+          alias to_uri cps
+          alias to_s policy
+        end
+        include Enumerable
+        #
+        # Parses the individual policies listed in the extension's value.
+        #
+        # @return [Array<Policy>]
+        #
+        def policies
+          # XXX: ugly multiline regexp to parse the certificate policies and
+          # their qualifiers.
+          @policies ||= value.scan(/^Policy: [^\n]+\n(?:  [^:]+: [^\n]+\n)*/m).map do |text|
+            policy = text.match(/^Policy: ([^\n]+)/)[1]
+            cps = if (match = text.match(/^  CPS: ([^\n]+)/m))
+                    URI.parse(match[1])
+                  end
+            user_notice = if (match = text.match(/^  User Notice: ([^\n]+)/m))
+                            match[1]
+                          end
+            Policy.new(policy, cps: cps, user_notice: user_notice)
+          end
+        end
+        #
+        # The number of certificate policies.
+        #
+        # @return [Integer]
+        #
+        def length
+          policies.length
+        end
+        #
+        # Enumerates over every certificate policy in the extension.
+        #
+        # @yield [policy]
+        #   The given block will be passed each parsed policy.
+        #
+        # @yieldparam [Policy] policy
+        #   A parsed certificate policy.
+        #
+        # @return [Enumerator]
+        #   If no block is given, an Enumerator will be returned.
+        #
+        def each(&block)
+          policies.each(&block)
+        end
+      end
+    end
+  end
+end

data/lib/sslyze/x509/extensions/crl_distribution_points.rb ADDED

@@ -0,0 +1,47 @@
+require 'sslyze/x509/extension'
+require 'uri'
+module SSLyze
+  module X509
+    module Extensions
+      #
+      # Represents the `crlDistributionPoints` X509v3 extension.
+      #
+      # @since 1.0.0
+      #
+      class CRLDistributionPoints < Extension
+        include Enumerable
+        #
+        # All `URI:` values.
+        #
+        # @return [Array<URI::Generic>]
+        #   All parsed `URI:` values from within the extension value.
+        #
+        def uris
+          @uris ||= value.scan(/URI:(.+)/).map { |(uri)| URI.parse(uri) }
+        end
+        #
+        # Enumerates over each {#uris uri} value within the
+        # `crlDistributionPoiints` extension.
+        #
+        # @yield [uri]
+        #   The given block will be passed each CRL URI.
+        #
+        # @yieldparam [URI::Generic] uri
+        #   A parsed `URI:` value from within the extension value.
+        #
+        # @return [Enumerator]
+        #   If no block is given, an Enumerator will be returned.
+        #
+        def each(&block)
+          uris.each(&block)
+        end
+      end
+    end
+  end
+end

data/lib/sslyze/x509/extensions/extended_key_usage.rb ADDED

@@ -0,0 +1,58 @@
+require 'sslyze/x509/extension'
+module SSLyze
+  module X509
+    module Extensions
+      #
+      # Represents the `extendedKeyUsage` X509v3 extension.
+      #
+      # @since 1.0.0
+      #
+      class ExtendedKeyUsage < Extension
+        include Enumerable
+        #
+        # The allowed extended key uses.
+        #
+        # @return [Array<String>]
+        #
+        def uses
+          @uses ||= value.split(', ')
+        end
+        #
+        # Enumerates over the allowed extended key uses.
+        #
+        # @yield [use]
+        #
+        # @yieldparam [String] use
+        #
+        # @return [Enumerator]
+        #
+        def each(&block)
+          uses.each(&block)
+        end
+        #
+        # Determines if TLS Web Server Authentication is allowed.
+        #
+        # @return [Boolean]
+        #
+        def tls_web_server_authentication?
+          uses.include?('TLS Web Server Authentication')
+        end
+        #
+        # Determines if TLS Web Client Authentication is allowed.
+        #
+        # @return [Boolean]
+        #
+        def tls_web_client_authentication?
+          uses.include?('TLS Web Client Authentication')
+        end
+      end
+    end
+  end
+end